2018: Meltdown and Spectre

Santa Clara University's CIO has notified the entire faculty, staff and student community of the latest security vulnerability that potentially affects all computing devices.

====

Colleagues,

I know that it’s the start of the quarter, and that you are very busy and have many competing demands for your time, but I ask that you please read at least the first part of this email (up until the FAQs) in its entirety.

As many of you may know by now, a number of technology companies have released announcements about two security vulnerabilities called Meltdown and Spectre. These vulnerabilities exploit a flaw in microprocessor design, and can possibly expose password and other sensitive information on any device that contains a computer chip. All Apple, Linux, and Windows-based computers are affected, as well as any device that features an Intel, AMD, Qualcomm, or ARM chip. Since numerous stories have been published in the last several days about these flaws, I will not go into further detail here; if you are interested in learning more, please read the FAQs below, or simply Google “meltdown spectre.”

Information Services staff have been closely monitoring this situation, and we have created a plan to address and mitigate (to the best of our ability) the risks posed to our technology environment. We will be patching our enterprise mission-critical assets first (servers, storage systems, and network components). Patches have been released for some microprocessors, and we have installed them in our development environment to test them. As additional patches are released, we will install, test, and deploy them as quickly as possible. These releases could occur at any point during the next several weeks.

Please be advised that we have established a critical update and patch window from 10:00 PM to 2:00 AM every night for the next two weeks (today through Sunday, January 21st). This means that some systems may not be available to you during this time.

Also, please be aware that this situation is very fluid, and some patches may break other software processes and functions, meaning that there may be additional patches that we will need to install at some point in the future.

We will be able to automatically deploy some patches to some University-owned computers within the next few weeks. For all Windows-based computers, we will need to physically visit your computer to install an additional update.

For now, we ask that you do the following:

For all devices (Apple, Dell, and other – desktops, laptops, tablets, and smart phones):

1) Reboot your device. Some people never power off their device, and some software and OS updates (and reminders to install updates) are triggered by a reboot. Periodically rebooting your computer/laptop/tablet/phone/etc. is a good idea anyway.

2) Reboot your device daily for the next couple of weeks. Numerous patches for numerous devices will be released in the following days, and it may be difficult to keep up with whether or not you need to download a patch. Rebooting your device should help insure that you are notified that an update is available.

3) If your device notifies you that an operating system or browser update is available, please install it. PLEASE NOTE: do not click on any link in any e-mail that you may receive that tells you that you need to update your computer or other device. We anticipate that there will be a number of phishing attempts that will try to get you to click on a link that redirects you to an unsecure website to harvest personally identifiable information, or one that will install malware on your computer.

If you use an Apple product (Mac, Macbook, iPad, or iPhone):

1) Please check to make sure that your device is running the latest OS/iOS release. If not, please install any update available for your device. If you don’t know how to check whether or not your device is running the latest software version, please contact the Technology Help Desk at x5700.

If you use a University-owned Windows-based computer (Dell desktop or laptop):

1) Check to see if you have BigFix installed on your University-owned computer. BigFix is software that is installed on many University-owned computers that allows us to update and automatically deploy patches to your computer. You can tell if you are running BigFix by looking at the bottom right corner of your computer screen. You will see a number of icons. Look for the following icon:

If you see this icon, it means that you have BigFix installed on your machine. We will be automatically pushing needed patches to your computer once they have been released and we have had a chance to test them. You do not need to do anything further.

If you do not see the BigFix icon, please contact the Technology Help Desk (x5700) or your school/college’s IT administrator.

2) Expect to get an email or phone call from us to schedule a time when we can physically visit your computer to install another needed patch (otherwise known as a firmware, or BIOS, update).

If you use a University-owned computer that runs Linux:

Please contact that Technology Help Desk at x5700, or your school/college’s IT administrator.

Please be aware that your browser(s) will also need to be updated. Please watch for an email from us later this week that will address browser updates.

REMEMBER: If you are in doubt about any of these instructions, please contact the Technology Help Desk at x5700.

While we thankfully do not have to physically visit every Mac on campus, the number of Windows-based computers that we need to physically touch is over 2,300 units. It will take us several months to patch all of our computers.

The timing of all of this is bad, being that it’s the start of the quarter; the magnitude of these flaws is immense – they affect nearly every chip produced since 1995; the number of University computers that need to be patched is very large; patches for many devices haven’t been released yet; and this situation is in flux. Consequently, on behalf of the professionals in my Division, I ask for your patience and understanding as we mitigate the risks associated with these security vulnerabilities as quickly as possible.

We are blessed to have the user community that we do. Thank you for your support – we appreciate it very much.